----- On 17 Jun 2015 at 16:21, Alexander Bokovoy [email protected] wrote:
> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>----- On 17 Jun 2015 at 15:51, Alexander Bokovoy [email protected] wrote:
>>
>>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>>----- Original message -----
>>>>> From: "Alexander Bokovoy" <[email protected]>
>>>>> So you have two different certificates in use here and your client
>>>>> doesn't know about the other certificate (from your proxy). You need
>>>>> either to deliver that certificate to the client by yourself or change
>>>>> your proxying technology to something different.
>>>>>
>>>>> For example, you can use sniproxy which doesn't require an in-the-middle
>>>>> certificate. https://github.com/dlundquist/sniproxy
>>>>
>>>>Thanks for that hint. I'll have a look at that.
>>>>
>>>>However I have an idea:
>>>>If I could export IPA's mod_nss cert+key and then use them on my proxy
>>>>running mod_ssl, that probably could solve the issue.
>>>>
>>>>Right?
>>> Sort of. Now you would have an issue of maintaining the certificate in
>>> multiple locations which would make rotation of it "interesting", so to
>>> say.
>>
>>Those would be only TWO certificates to manage. What's the challenge here?
> FreeIPA uses certmonger to rotate certificates when time approaches
> their expiration. Certmonger requests a new certificate from the CA. In
> case you copied the certificate to some other server, you would need to
> manually maintain the other copy and there will be a period when the IPA
> webserver's certificate would already be rotated but yours isn't.
>
> Setting certmonger to rotate the same certificate from two locations
> wouldn't work.
>
> I'm not saying it is hard, just that you should know what you are
> dealing with and accept a window of blackout.

Good to know that. Thanks for the heads-up.
I already exported the IPA CA cert and the Server-Cert cert/key.
I'll have to wait until the maintenance window before I reload my apache.
Will keep you posted if that solved the problem.

Piotr

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
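The drift Alexander warns about (certmonger renews the IPA web server's certificate, the copy on the proxy stays at the old one) can be watched for by comparing the certificate each endpoint actually presents. This is an added example, not code from the thread or from FreeIPA; the host names are placeholders and the PEM stand-ins used offline are constructed, not real certificates.

```python
"""Drift check for a FreeIPA web certificate copied to a separate proxy."""
import base64
import hashlib
import ssl


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER form of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def compare_pems(ipa_pem: str, proxy_pem: str) -> dict:
    """Compare the certificate IPA serves with the one the proxy serves.

    in_sync turns False once certmonger has renewed the IPA copy while the
    proxy still serves the old one: the blackout window from the thread.
    """
    ipa_fp = fingerprint_pem(ipa_pem)
    proxy_fp = fingerprint_pem(proxy_pem)
    return {"ipa": ipa_fp, "proxy": proxy_fp, "in_sync": ipa_fp == proxy_fp}


def compare_endpoints(ipa_host: str, proxy_host: str, port: int = 443) -> dict:
    """Live check: fetch what each endpoint presents on the wire.

    get_server_certificate does no chain validation, which is intended here:
    the question is which certificate is served, not whether it is trusted.
    """
    ipa_pem = ssl.get_server_certificate((ipa_host, port))
    proxy_pem = ssl.get_server_certificate((proxy_host, port))
    return compare_pems(ipa_pem, proxy_pem)


def constructed_pem(payload: bytes) -> str:
    """Constructed stand-in: PEM framing around arbitrary bytes, enough for
    an offline fingerprint comparison, not a real certificate."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Offline demonstration with constructed stand-ins: the IPA side before
    # and after a certmonger renewal, the proxy still holding the old copy.
    old = constructed_pem(b"server-cert-2015")
    new = constructed_pem(b"server-cert-2016")
    print(compare_pems(old, old)["in_sync"])  # True: both serve the same cert
    print(compare_pems(new, old)["in_sync"])  # False: proxy copy is stale
    # Live use with placeholder hosts:
    # compare_endpoints("ipa.example.test", "proxy.example.test")
```

Run the live form from cron and alert whenever `in_sync` is False; that is the moment the proxy copy needs to be refreshed from the IPA host.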
